Insights and highlights: FAIR Institute Europe Summit 2024

The FAIR Institute Europe Summit 2024 was an eventful one-day event that brought together cyber experts, regulators, practitioners, and decision makers from across Europe and the US. This year’s theme of “Managing Cyber Risk Management in the Age of New Incident Disclosure Rules” was woven into the fabric of every presentation and panel. There were also presentations on the new FAIR working groups and tools: FAIR-MAM, FAIR-CAM, FAIR-AIR, and FAIR-TAM. 

In his welcome address, Nick Sanna, the founder of the FAIR Institute, set the tone for the Summit. He painted a vivid picture of the current cyber risk landscape, where the economics of adversaries are improving while the financial burden of security measures and the costs of breaches are increasing. “You cannot win the compliance battle without addressing the economics.” Nick argued that the traditional, sluggish compliance models are ineffective, underscoring the urgency for a paradigm shift toward risk-based Cyber Risk Management that keeps pace with rapid business decision-making. His vision is for a rigorous business science – a quantitative, business-driven model that demonstrates compliance to regulators, reduces waste, and increases competitive advantage. 

The first panel of the day, moderated by Anne Leslie of IBM, discussed the significance of the NIS2 Directive and the EU’s Digital Operational Resilience Act (DORA). The speakers touched on the similarities and ambiguities of the two legislative acts – focusing on risk management, third parties, incident notification and cross-border data flows. For the new regulations to bring positive change, everyone needs a seat at the table. IT, legal and business functions all need to define a common glossary of terms for improved understanding and prioritization. 

GenAI is a new breed of risk facing cyber risk professionals. Panelists Gérôme Billois, partner at Wavestone, Sabine Marcellin an IT Lawyer at Oxygen+, and Jacqueline Lebo, a Risk Advisory Manager in Security Services at Safe Security shared stories about the challenges and failures of GenAI, such as the augmented video surveillance planned for the Paris Olympics, the Air Canada chatbot lawsuit, and RiteAid’s facial recognition failures. GenAI is a new kind of technology that brings new risks to an organization. The consensus was that AI policies need to be developed internally with all stakeholders, and preferably before launching any GenAI tools. 

Leaders in Cyber Risk Quantification from Richemont and Econocom shared their insights on building and growing an internal quantitative cyber risk management program and winning support from the board and interest from other businesses within the group.  

The VP of Cyber Risk and Assurance at GSK, Meena Martin, shared how GSK is developing a third-party risk management model that is data-driven, risk-based, agile and continuous. This program will be supported by FAIR-TAM as it advances.  

The afternoon keynote presented by the FAIR Institute Chairman Emeritus Jack Jones. Jack emphasized that technical sophistication does not equal domain maturity. If you can identify and prioritize what matters, then you will not be able to move away from reactive risk management to truly proactive cyber risk management. 

The CXSO panel moderated by Thiébaut Meyer, Director, Office of CISO at Google Cloud discussed challenges of managing cyber risk with the new regulatory disclosures. Benoit Fuzeau, CISO at CASDEN and president of CLUSIF emphasized that training is a major element in compliance. The consensus from the panelists was that compliance does not equal security. 

Rob Moore of Mastercard and David Steng of Fresinus shared their experiences implementing FAIR in their own companies. Rob said that in his experience “FAIR is like a superpower.” David agreed, saying that monetary measures make it easier to advance a security budget and communicate with executives.  

‍

To close the day, Tom Callaghan, co-founder of C-Risk moderated a panel with Frédéric Bouveresse and Francesco Chiarini on MITRE and FAIR-CAM. A question that was posed by the panel, “How does a regulatory framework change resilience?” They pointed out that a framework is only a starting point and you have to adapt to be effective. Francesco provided food for thought to close the discussion, “Resilience is the science of anticipation.” 

The beautiful Salon Hoche in Paris was the perfect setting for the FAIR Summit Europe speakers to share new insights into how cyber risk management can be done successfully using risk-based methods and moving toward a proactive approach that exceeds the evolving regulatory requirements.  

The presentations and panel discussions took different perspectives on how quantitative cyber risk management using FAIR can help achieve compliance objectives and enhance operational resilience. With FAIR, cyber risk professionals can speak the same language as business leaders and decision makers, and leverage data to inform their risk strategies.  

It is exciting to see how quantitative cyber risk management continues to grow in Europe.